CVE-2019-11500
Published: 2019-08-29
Priority: P2 (71) · critical 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: Exploited in the wild
EPSS: 62.32% (99.1th percentile)
In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | dovecot | < dovecot 1:2.3.7.2-1 (bookworm) | dovecot 1:2.3.7.2-1 (bookworm) |
| dovecot | dovecot | < 2.2.36.4 | 2.2.36.4 |
| dovecot | dovecot | >= 0 < 1:2.3.7.2-1 | 1:2.3.7.2-1 |
| dovecot | dovecot | >= 0 < 1:2.3.7.2-1 | 1:2.3.7.2-1 |
| dovecot | dovecot | >= 0 < 1:2.3.7.2-1 | 1:2.3.7.2-1 |
| dovecot | dovecot | >= 0 < 1:2.3.7.2-1 | 1:2.3.7.2-1 |
| dovecot | dovecot | >= 2.3.0 < 2.3.7.2 | 2.3.7.2 |
| dovecot | pigeonhole | < 0.5.7.2 | 0.5.7.2 |
| fedoraproject | fedora | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability exists in IMAP and ManageSieve protocol parsers — monitor for malformed quoted strings containing NULL bytes ('\0' characters) sent to Dovecot IMAP or ManageSieve ports
- Trigger condition is a specially crafted quoted string with embedded '\0' characters in IMAP or ManageSieve protocol traffic — inspect protocol-level data for NULL bytes inside quoted string literals
- Affected components: Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2, and Pigeonhole before 0.5.7.2 — use version detection to identify unpatched instances
- The vulnerability is exploitable remotely via the IMAP and ManageSieve protocol parsers; both services should be considered attack surfaces and monitored independently
- Dovecot on Red Hat Enterprise Linux 5 is out of support scope and will not receive a patch — deployments on this platform remain permanently vulnerable
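As an added example (not from the page's sources or from the Dovecot project), a small Python scanner that applies the check the items above describe: walk each IMAP or ManageSieve command line, track quoted-string state including the backslash escapes both protocols allow, and report the offset of every NUL byte that falls inside a quoted string. The sample lines are constructed, not captured traffic.

```python
"""Flag IMAP/ManageSieve command lines that carry NUL bytes inside quoted strings."""


def nul_in_quoted_strings(line: bytes) -> list[int]:
    """Return byte offsets of every 0x00 that sits inside a "..." quoted string.

    Scans the line once. Inside a quoted string, a backslash escapes the next
    byte (the protocols allow \\" and \\\\), so an escaped quote does not close
    the string. NUL bytes outside quotes are ignored: only NULs inside quoted
    strings match the trigger condition described for CVE-2019-11500.
    """
    hits: list[int] = []
    in_quote = False
    escaped = False
    for offset, byte in enumerate(line):
        if in_quote:
            if escaped:
                escaped = False          # byte after a backslash is literal
            elif byte == 0x5C:           # backslash starts an escape
                escaped = True
            elif byte == 0x22:           # unescaped quote closes the string
                in_quote = False
            elif byte == 0x00:
                hits.append(offset)
        elif byte == 0x22:               # quote opens a string
            in_quote = True
    return hits


def scan_session(lines: list[bytes]) -> list[tuple[int, list[int]]]:
    """Return (line_number, offsets) for every line that matches."""
    return [(n, hits) for n, ln in enumerate(lines, 1) if (hits := nul_in_quoted_strings(ln))]


# Constructed sample traffic: two benign commands (one with an escaped quote),
# one command with NULs inside quoted strings, and a NUL outside any quote.
SAMPLE = [
    b'a001 LOGIN "alice" "correct horse"\r\n',
    b'a002 SEARCH SUBJECT "say \\"hi\\""\r\n',
    b'a003 LOGIN "ali\x00ce" "pw\x00\x00"\r\n',
    b'a004 NOOP \x00\r\n',
]

if __name__ == "__main__":
    for line_no, offsets in scan_session(SAMPLE):
        print(f"line {line_no}: NUL inside quoted string at offsets {offsets}")
```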
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Ubuntu: Dovecot vulnerability (vendor_ubuntu · 2019-08-28)
Summary: Dovecot could be made to crash or execute arbitrary code if it received specially crafted data.
USN-4110-1 fixed a vulnerability in Dovecot. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.
Original advisory details:
Nick Roessler and Rafi Rubin discovered that Dovecot incorrectly handled certain data. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat: dovecot: improper NULL byte handling in IMAP and ManageSieve protocol parsers leads to out of bounds writes (vendor_redhat · 2019-08-28 · CVSS 9.8 · CRITICAL · CWE-20)
A flaw was found in dovecot. IMAP and ManageSieve protocol parsers do not properly handle the NULL byte when scanning data in quoted strings which leads to an out of bounds heap memory write. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Package: dovecot (Red Hat Enterprise Linux 5) - Out of support scope
Ubuntu: Dovecot vulnerability (vendor_ubuntu · 2019-08-28)
Summary: Dovecot could be made to crash or execute arbitrary code if it received specially crafted data.
Nick Roessler and Rafi Rubin discovered that Dovecot incorrectly handled certain data. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu: Dovecot regression (vendor_ubuntu · 2019-08-28)
Summary: USN-4110-1 introduced a regression in Dovecot.
USN-4110-1 fixed a vulnerability in Dovecot. The update introduced a regression causing a wrong check. This update fixes the problem for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.
We apologize for the inconvenience.
Original advisory details:
Nick Roessler and Rafi Rubin discovered that Dovecot incorrectly handled certain data. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu: Dovecot regression (vendor_ubuntu · 2019-08-28)
Summary: USN-4110-1 introduced a regression in Dovecot.
USN-4110-1 fixed a vulnerability in Dovecot. The update introduced a regression causing a wrong check. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Nick Roessler and Rafi Rubin discovered that Dovecot incorrectly handled certain data. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Debian: dovecot (vendor_debian · 2019 · CVSS 9.8 · CRITICAL)
Scope: local
bookworm: resolved (fixed in 1:2.3.7.2-1)
bullseye: resolved (fixed in 1:2.3.7.2-1)
forky: resolved (fixed in 1:2.3.7.2-1)
sid: resolved (fixed in 1:2.3.7.2-1)
trixie: resolved (fixed in 1:2.3.7.2-1)
GHSA: GHSA-mqm8-r3v6-8mmv (ghsa_unreviewed · 2022-05-24 · CRITICAL · CWE-787)
OSV: CVE-2019-11500 (osv · 2019-08-29 · CVSS 9.8 · CRITICAL)
No detection rules found.
No public exploits indexed.
Bugzilla: CVE-2019-11500 dovecot: improper NULL byte handling in IMAP and ManageSieve protocol parsers leads to out of bounds writes [fedora-all] (bugzilla · 2019-08-29 · CVSS 9.8 · CRITICAL)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit mess
Bugzilla: CVE-2019-11500 dovecot: improper NULL byte handling in IMAP and ManageSieve protocol parsers leads to out of bounds writes (bugzilla · 2019-08-14 · CVSS 9.8 · CRITICAL)
IMAP and ManageSieve protocol parsers do not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes.
Discussion:
Acknowledgments:
Name: the Dovecot project
Upstream: Nick Roessler (University of Pennsylvania), Rafi Rubin (University of Pennsylvania)
---
Analysis:
This is essentially an OOB write flaw into the heap. There are multiple ways in which this can be triggered:
1. Via IMAP pre-auth, an attacker can write 8096 bytes on the heap.
2. Via IMAP post-auth, an attacker can write 65536 bytes on the heap, after a successful login.
3. An authenticated user can create specially crafted sieve rules, which when parsed c
References
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html
- http://www.openwall.com/lists/oss-security/2019/08/28/3
- https://access.redhat.com/errata/RHSA-2019:2822
- https://access.redhat.com/errata/RHSA-2019:2836
- https://access.redhat.com/errata/RHSA-2019:2885
- https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html
- https://lists.debian.org/debian-lts-announce/2019/08/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GYTZLLDNIFWT7D7JSB25ERJNMOR4CQ3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KVHY3MU2OK2EWZJFGNDSAOMD42L7DFPX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSJVVVRAE3SITC2ZLGCPMFDN3WVYZBWF/
- https://security.gentoo.org/glsa/201908-29
- https://www.dovecot.org/security.html
Timeline: 2019-08-29 Published · Exploited in the wild